Introducing Hyperlight: Virtual machine-based security for functions at scale
The Microsoft Azure Core Upstream team is excited to announce the Hyperlight…
Object storage is one of the core services offered by cloud platforms, as it allows developers to store any kind of unstructured data, conveniently and flexibly. Even if you’re not a developer, there are countless apps, libraries and tools that you can integrate in your daily workflow to leverage object storage on the cloud, for example for backups or just to store your data in a safe, reliable place.
Microsoft Azure provides excellent object storage with Azure Blob Storage, which offers unmatched durability, virtually infinite capacity and multiple tiers of storage, all at very convenient rates. However, because Azure Blob Storage was developed before the world decided to “standardize” on the S3 APIs, the two use different interfaces, and so most applications and libraries designed to work with Amazon S3 do not support Azure out-of-the-box. Many third-party and open source apps, libraries and tools are built to take advantage of S3, including very popular tools like s3cmd; not all of them have built-in support for Azure Blob Storage, however.
The solution is incredibly simple, and it’s a free, lightweight, open source app called Minio: an object storage server that exposes S3-compatible APIs. Minio’s main goal was to simply expose local storage as object storage, but recently the developers have implemented a gateway feature that allows proxying requests to — you guessed it — Azure Blob Storage.
In short, Minio allows us to convert Azure Blob Storage APIs to Amazon S3! Best of all: Minio itself is very lightweight (written in Golang), and it’s available as a Docker container.
Running Minio as a Docker container is really simple:
$ docker run -p 9000:9000 \ -e "MINIO_ACCESS_KEY=azureaccountname" \ -e "MINIO_SECRET_KEY=azureaccountkey" \ minio/minio gateway azure
Minio is a self-hosted solution, which means that you will need a server to run it. Thanks to Minio developers publishing Docker containers, however, a very simple and cost-effective solution is to use Azure Web Apps on Linux and custom container support.
To deploy Minio on an Azure Web App, follow these simple steps. You will need the Azure CLI 2.0 (or “az cli”) installed on your machine, and, of course, an Azure subscription (or a free trial).
If you haven’t done it already, log in to Azure using the CLI with this command, then follow the instructions on the terminal to authenticate using the web browser:
$ az login
The first thing we need to do is to create a Resource Group, which is nothing but a logical grouping unit where all of our Azure resources are deployed:
$ az group create --name "Minio" --location "WestUS"
Next, we will create the actual Blob Storage Account in which our data will be stored; you can skip this if you already have a Storage Account that you want to use. There are multiple tiers of storage (hot vs cool), and multiple levels of redundancy (LRS, GRS, RA-GRS); for an explanation of the different options, I’m better off referring you to the official documentation. In this example, we’re using a “Blob Storage Account” (a new kind of Storage Account that offers hot and cool storage, and lower rates for both), in LRS (Locally Redundant Storage: data is replicated 3 times within the same Azure datacenter) and “cool” tier (data is always online, but retrievals are charged a small fee per GB). Note that we’re adding two recurring parameters for the Resource Group and location as well. The full list of options for the command below is in the CLI reference. Lastly, remember that the name of the storage account has to be globally unique.
$ az storage account create \
--name "aleminiostorage" \
--kind BlobStorage \
--sku Standard_LRS \
--access-tier Cool \
--resource-group "Minio" \
--location "WestUS"
After the account is created, we need to get the Account Key:
$ az storage account show-connection-string \
--name "aleminiostorage" \
--resource-group "Minio"
# Output
{
"connectionString": "DefaultEndpointsProtocol=https;EndpointSuffix=core.windows.net;AccountName=aleminiostorage;AccountKey=rOduFZr22jJ+..."
}
The Account Key is at the end of the connectionString
parameter (in bold above, truncated), and it’s a base64-encoded string. Take note of that, as we’ll need it in the next steps.
It’s now time to deploy Minio to the Web App on Linux. First, we need to create an App Service Plan, which represents the managed VM(s) that will serve our app; after that, we’re creating a Web App inside it. We’re picking a “B1” (Basic 1) tier, which should be enough to run our lightweight Minio app; note also the --is-linux
flag, to create a Linux-based Web App. As in the case of the storage account, the name of the Web App (aleminio
in the example below) has to be globally unique too. We’re also configuring the Web App to run the minio/minio
image from Docker Hub.
Note: Traffic between your Azure Web App and the Azure Storage Account is free of charge, for as long as the two are in the same Azure Region.
# Create the App Service Plan
$ az appservice plan create \
--name "MinioAppPlan" \
--is-linux \
--sku B1 \
--resource-group "Minio" \
--location "WestUS"
# Create the Web App configured with the minio/minio container
$ az webapp create \
--name "aleminio" \
--deployment-container-image-name "minio/minio" \
--plan "MinioAppPlan" \
--resource-group "Minio"
The Web App on Linux should now be up and running, at the URL webappname.azurewebsites.net – in my example, https://aleminio.azurewebsites.net
.
On the last step, let’s configure Minio on the Web App. First, we need to pass the configuration as environmental variables, similarly to what we did with the -e
flag in the Docker run command above. We then need to tell the Web App what command to execute on the Docker container to start Minio in gateway mode.
# Environmental variables # The value for MINIO_ACCESS_KEY is the name of the Storage Account # Fill MINIO_SECRET_KEY with the Storage Account Key instead $ az webapp config appsettings set \ --settings "MINIO_ACCESS_KEY=aleminiostorage" "MINIO_SECRET_KEY=rOduFZr22jJ+..." "PORT=9000" \ --name "aleminio" \ --resource-group "Minio" # Startup command $ az webapp config set \ --startup-file "gateway azure" \ --name "aleminio" \ --resource-group "Minio"
We’re done! Give the Web App a few seconds to start, then you’ll have your Minio Amazon S3-compatible gateway working!
Configure your client apps/libraries with the following settings:
https://webappname.azurewebsites.net
, replacing webappname with the name of your Web App (and note the use of https)As an example, let’s configure s3cmd to use our own Minio server.
Download the s3cmd binary from GitHub and extract it somewhere.
Note: make sure you’re using s3cmd 2.0.1 or higher, as previous releases have issues with Minio as gateway to Azure Storage. Likewise, please make sure you’re using Minio 2017-10-27 or higher.
Create then a file named ~/.s3cfg
to configure s3cmd:
# Setup endpoint: hostname of the Web App host_base = aleminio.azurewebsites.net host_bucket = aleminio.azurewebsites.net # Leave as default bucket_location = us-east-1 use_https = True # Setup access keys # Access Key = Azure Storage Account name access_key = aleminiostorage # Secret Key = Azure Storage Account Key secret_key = rOduFZr22jJ+... # Use S3 v4 signature APIs signature_v2 = False
You should be able to use s3cmd now! Some examples:
# Create a bucket $ ./s3cmd mb s3://testbucket Bucket 's3://testbucket/' created # List all buckets $ ./s3cmd ls s3:// 2017-06-12 19:58 s3://testbucket # Uplaod some files $ ./s3cmd put photos/* s3://testbucket
That’s it! Now it’s your turn to play with Minio on Azure. From deploying apps on Azure that wouldn’t work with our object storage before, to using s3cmd with Azure Blob Storage for backups, it’s now possible, and easy to do.
Questions or comments? Let me know in the comments.